Abstraction and refinement are widely used in software development. Such techniques are valuable 
since they allow handling ever more complex systems. One key point is the ability to decompose a 
large system into subsystems, analyze those subsystems, and deduce properties of the larger system. 

As cyber-physical systems tend to become more and more complex, such techniques become more 
appealing. 

In 2009, Oehlerking and Theel presented a (de-)composition technique for hybrid systems. This 
technique is graph-based and constructs a Lyapunov function for hybrid systems having a complex 
discrete state space. The technique consists of (1) decomposing the underlying graph of the hybrid 
system into subgraphs, (2) computing multiple local Lyapunov functions for the subgraphs, and finally 
(3) composing the local Lyapunov functions into a piecewise Lyapunov function. A Lyapunov 
function can serve multiple purposes, e.g., it certifies stability or termination of a system, or it allows 
constructing invariant sets, which in turn may be used to certify safety and security. 

In this paper, we propose an improvement to the decomposition technique which relaxes the graph 
structure before applying the decomposition technique. Our relaxation significantly reduces the 
connectivity of the graph by exploiting super-dense switching. The relaxation makes the decomposition 
technique more efficient on one hand and, on the other hand, allows decomposing a wider range of graph 
structures. 
1 Introduction 

In this paper, we present a relaxation technique for hybrid systems exhibiting dense graph structures. 
It improves the (de-)compositional technique proposed by Oehlerking and Theel in [10]. The relaxation 
results in hybrid systems that are well suited for (de-)composition. This increases the likelihood of 
successfully identifying Lyapunov functions. 

Throughout the paper, in order to ease readability, we simply write “decomposition” or “decompositional 
technique” instead of “(de-)composition” or “(de-)compositional technique”. 

Stability, in general and for hybrid systems in particular, is a very desirable property, since stable systems 
are inherently fault-tolerant: after the occurrence of faults leading to, for example, a changed environment, 
the system will automatically “drive back” to the set of desired (i.e., stable) states. Stable 
systems are therefore particularly suited for contexts where autonomy is important, such as dependable 
assistance systems, or for contexts where security has to be assured in an adverse environment. 
Modeling such real-world systems often involves the interaction of an embedded system (e.g., a controller) 
and its surrounding environment (e.g., a plant). Examples of such systems are automatic cruise 
controllers, engine control units, or unmanned powerhouses. In all these examples, an optimal operating 
range should be maintained. Although it is sometimes possible to discretize physical relations (using 
sampling) or to fluidize discrete steps (having a real-valued count of objects), it is more natural and less 
error-prone to use hybrid systems for modeling and verification. This is due to the fact that hybrid 
systems allow both the representation of discrete and of continuous behavior. 

For hybrid systems with a complex discrete behavior, the technique proposed in [10] decomposes the 
monolithic problem of proving stability into multiple subproblems. But if a hybrid system exhibiting a 
complex control structure - in the sense of a dense graph structure - is decomposed, then the blow-up 
can be enormous. The result is a high number of subproblems that must be solved - this is not bad per 
se. But since the decompositional technique requires underapproximating the feasible set of each 
subproblem, applying it too often results in the feasible set becoming empty. The relaxation technique 
presented in this paper reduces the number of steps required by the decomposition and, therefore, the 
number of underapproximations. This has two benefits: the runtime is reduced and the effect of the 
underapproximations is minimized. 

This paper is organized as follows. Section 2 gives a brief overview of related work. In Section 3 
we define the hybrid system model, the stability property, an adaptation of the Lyapunov theorem, and 
briefly sketch the idea of the decompositional proof technique. Section 4 describes our improvement 
to that proof scheme. In Section 5 we apply the relaxation to prove stability of three examples. The 
first example is the automatic cruise controller, which is the motivating example for the decompositional 
technique. The second example is abstract and shows what happens if decomposition is applied to 
complete graph structures. The last example is a spidercam that exhibits a dense graph structure for which 
proving stability using decomposition alone is not possible. Finally, in Section 6 we give a short summary. 


2 Related Work 

In contrast to safety properties, stability has not yet received that much attention wrt. automatic proving 
and therefore, only a few tools are available. Indeed, only the following automatic tools - each specialized 
for specific system classes - are known to the authors. Podelski and Wagner presented a tool in 
[?] which computes a sequence of snapshots and then tries to relate the snapshots in a decreasing 
sequence. If successful, this certifies region stability, i.e., stability with respect to a region instead 
of a single equilibrium point. Oehlerking et al. [9] implemented a powerful state space partitioning 
scheme to find Lyapunov functions for linear hybrid systems. The RSolver by Ratschan and She [15] 
computes Lyapunov-like functions for continuous systems. Duggirala and Mitra [?] combined Lyapunov 
functions with a search for a well-foundedness relation for symmetric linear hybrid systems. Prabhakar 
and Garcia [16] presented a technique for proving stability of hybrid systems with constant derivatives. 
Finally, some Matlab toolboxes (YALMIP [2], SOSTOOLS [17]) that require a by-hand generation of 
constraint systems for the search of Lyapunov functions are available. These toolboxes do not automatically 
prove stability but assist in handling solvers. 

Related theoretical works are the decompositional technique by Oehlerking and Theel [10], which 
we aim to improve, and the work on pre-orders for reasoning about stability in a series of papers by 
Prabhakar et al. [14], [13], [?], whose aim is a precise characterization of soundness of abstractions for 
stability properties. In contrast, our vision is an automatic computational engine for obtaining Lyapunov 
functions. The technique and tool presented in [16] is also based on abstractions. Unfortunately, their 
technique is restricted to hybrid systems whose differential equations have constant right hand sides, 
while our technique is more general. However, the techniques are not mutually exclusive and have 
the potential to be combined. 

3 Preliminaries 

In this section, we give the definitions of the hybrid system model, global asymptotic stability, and 
discontinuous Lyapunov functions. Furthermore, we sketch the decomposition technique of [10]. 

Definition 1. A hybrid automaton $\mathcal{H}$ is a tuple $(V, \mathcal{M}, T, \mathit{Flow}, \mathit{Inv})$ where 

• $V$ is a finite set of variables and $\mathcal{S} = \mathbb{R}^{|V|}$ is the corresponding continuous state space, 

• $\mathcal{M}$ is a finite set of modes, 

• $T$ is a finite set of transitions $(m_1, G, U, m_2)$ where 

— $m_1, m_2 \in \mathcal{M}$ are the source and target mode of the transition, respectively, 

— $G \subseteq \mathcal{S}$ is a guard which restricts the valuations of the variables for which this transition can 
be taken, 

— $U : \mathcal{S} \to \mathcal{S}$ is the update function which might update some valuations of the variables, 

• $\mathit{Flow} : \mathcal{M} \to [\mathcal{S} \to \mathcal{P}(\mathcal{S})]$ is the flow function which assigns a flow to every mode. A flow 
$f : \mathcal{S} \to \mathcal{P}(\mathcal{S})$ in turn assigns a closed subset of $\mathcal{S}$ to each $x \in \mathcal{S}$, which can be seen as the right hand 
side of a differential inclusion $\dot{x} \in f(x)$, 

• $\mathit{Inv} : \mathcal{M} \to \mathcal{P}(\mathcal{S})$ is the invariant function which assigns a closed subset of the continuous state 
space to each mode $m \in \mathcal{M}$, and therefore restricts the valuations of the variables for which this mode 
can be active. 

A trajectory of $\mathcal{H}$ is an infinite solution in the form of a function $\mathcal{T}(t) = (x(t), m(t))$ over time $t$ where $x(\cdot)$ 
describes the evolution of the continuous variables and $m(\cdot)$ the corresponding evolution of the modes.¹ 
Roughly speaking, stability is a property expressing that all trajectories of the system eventually 
reach an equilibrium point of the state space and stay in that point forever, given the absence of 
errors. For technical reasons the equilibrium point is usually assumed to be the origin of the continuous 
state space, i.e., $0$. This is not a restriction, since a system can always be shifted such that the equilibrium 
is $0$ via a coordinate transformation. In the sequel, we focus on asymptotic stability, which does not 
require the equilibrium point to be reached in finite time but only requires every trajectory to “continuously 
approach” it (in contrast to exponential stability, where additionally the existence of an exponential rate 
of convergence is required). 

In the following, we refer to $x|_{V'} \in \mathbb{R}^{|V'|}$ as the sub-vector of a vector $x \in \mathbb{R}^{|V|}$ containing only the values of 
the variables in $V' \subseteq V$. 

Definition 2 (Global Asymptotic Stability with Respect to a Subset of Variables [8]). Let $\mathcal{H} = (V, \mathcal{M}, T, 
\mathit{Flow}, \mathit{Inv})$ be a hybrid automaton, and let $V' \subseteq V$ be the set of variables that are required to converge 
to the equilibrium point $0$. The continuous-time dynamic system $\mathcal{H}$ is called Lyapunov stable (LS) with 
respect to $V'$ if for all functions $x|_{V'}(\cdot)$, 

$\forall \varepsilon > 0 : \exists \delta > 0 : \forall t \ge 0 : \|x(0)\| < \delta \Rightarrow \|x|_{V'}(t)\| < \varepsilon.$ 

$\mathcal{H}$ is called globally attractive (GA) with respect to $V'$ if for all functions $x|_{V'}(\cdot)$, 

$\lim_{t \to \infty} x|_{V'}(t) = 0, \quad \text{i.e.,} \quad \forall \varepsilon > 0 : \exists t_0 \ge 0 : \forall t \ge t_0 : \|x|_{V'}(t)\| < \varepsilon,$ 

¹ Note that the definition of trajectories given here is for real time, i.e., $t \in \mathbb{R}_{\ge 0}$, while solutions of the relaxed hybrid automaton 
in Section 4 require a corresponding definition of trajectories for dense time, i.e., $t \in \mathbb{N} \times \mathbb{R}_{\ge 0}$. However, as there is only little 
difference in our setting and we do not directly reason about the solutions of the relaxation, we omit the corresponding definitions. 
where $0$ is the origin of $\mathbb{R}^{|V'|}$. If a system is both Lyapunov stable with respect to $V'$ and globally attractive 
with respect to $V'$, then it is called globally asymptotically stable (GAS) with respect to $V'$. 

Intuitively, LS is a boundedness condition, i.e., each trajectory starting $\delta$-close to the origin will remain 
$\varepsilon$-close to the origin. GA ensures progress, i.e., for each $\varepsilon$-distance to the origin, there exists a point 
in time $t_0$ such that afterwards a trajectory always remains within this distance. It follows that each 
trajectory is eventually always approaching the origin. This property can be proven using Lyapunov 
theory [6]. Lyapunov theory was originally restricted to continuous systems but has been lifted to 
hybrid systems. 

Theorem 1 (Discontinuous Lyapunov Functions for a Subset of Variables [8]). Let $\mathcal{H} = (V, \mathcal{M}, T, \mathit{Flow}, 
\mathit{Inv})$ be a hybrid automaton and let $V' \subseteq V$ be the set of variables that are required to converge. If for 
each $m \in \mathcal{M}$ there exist a set of variables $V_m$ with $V' \subseteq V_m \subseteq V$ and a continuously differentiable 
function $V_m : \mathcal{S} \to \mathbb{R}$ such that 

1. for each $m \in \mathcal{M}$, there exist two class $\mathcal{K}^\infty$ functions $\alpha$ and $\beta$ such that 

$\forall x \in \mathit{Inv}(m) : \alpha(\|x|_{V_m}\|) \le V_m(x) \le \beta(\|x|_{V_m}\|),$ 

2. for each $m \in \mathcal{M}$, there exists a class $\mathcal{K}^\infty$ function $\gamma$ such that 

$\forall x \in \mathit{Inv}(m) : \dot{V}_m(x) \le -\gamma(\|x|_{V_m}\|)$ 

for each $\dot{V}_m(x) \in \langle \nabla V_m(x), f(x) \rangle$, $f = \mathit{Flow}(m)$, 

3. for each $(m_1, G, U, m_2) \in T$, 

$\forall x \in G : V_{m_2}(U(x)) \le V_{m_1}(x),$ 

then $\mathcal{H}$ is globally asymptotically stable with respect to $V'$ and $V_m$ is called a local Lyapunov function 
(LLF) of $m$. 


In Theorem 1, $\langle \nabla V(x), f(x) \rangle$ denotes the inner product between the gradient of a Lyapunov function $V$ 
and a flow function $f(x)$. Throughout the paper we denote by mode constraints the constraints of Type 1 
and Type 2 and by transition constraints the constraints of Type 3. 


Decompositional Construction of Lyapunov Functions 

In this section we briefly introduce the decompositional construction of Lyapunov functions for 
self-containment and refer to [10] for the details. 

The decomposition technique introduces a so-called constraint graph. In the constraint graph, vertices 
are labeled with mode constraints and with the transition constraints of self-loops, i.e., $m_1 = m_2$, while edges 
are labeled with the transition constraints of non-self-loops, i.e., $m_1 \ne m_2$. Obviously, any solution to the 
constraint graph is a solution to Theorem 1. The graph structure is exploited in two ways: 

1) The constraint graph is partitioned into finitely many strongly connected components (SCCs). A 
trajectory entering an SCC of the corresponding hybrid automaton may either converge to $0$ within 
the SCC or leave the SCC in finite time. In any case, once left, an SCC cannot be entered 
again. This allows us to compute LLFs for each SCC separately. 

2) Each SCC is further partitioned into (overlapping) cycles. LLFs for modes in a cycle can also be 
computed separately, but compatibility wrt. the constraints on the edges has to be assured somehow. 
Compatibility can be guaranteed if the cycles are examined successively in the following way: A cycle 
[Figure 1: A Sketch of the Decomposition; panels (b) After a Reduction Step, (c) Selection of a Mode to Split, (f) After a Reduction Step] 


is selected and replaced by an underapproximation of the feasible set of its constraints, i. e., finitely 
many solutions (candidate LLFs) to the constraints of that cycle. Since the constraints describe a 
convex problem, conical combinations of the candidate LLFs satisfy the constraints, too. This step is 
called a reduction step. The reduction step collapses all vertices that lie only on that cycle and replaces 
references to LLFs in the constraints of adjacent edges by conical combinations of the candidate 
LLFs. This allows us to prove stability of each cycle separately while, cycle-by-cycle, ensuring 
compatibility of the feasible sets of the (overlapping) cycles. 


The reduction step is visualized in Figure 1a and Figure 1b. In the former, a cycle is selected and in 
the latter, the cycle is replaced by a finite set of solutions of the corresponding optimization problem 
- visualized by collapsing the cycle into a single vertex. 

The reduction step is more efficient if the cycle is connected to the rest of the graph by at most one 
vertex. We call such a cycle an outer cycle and the vertex a border vertex. On one hand, if the graph 
contains an outer cycle, then the cycle can be collapsed into a single vertex which replaces the border 
vertex. Thus, the feasible set of the cycle’s constraints is replaced by a set of candidate LLFs. On the 
other hand, if the graph does not contain an outer cycle, then another step, called a mode-splitting step, 
is performed. In the mode-splitting step, a single vertex is replaced by one copy per pair of incoming and 
outgoing edges. This is visualized in Figure 2. In Figure 2a, vertex 1 is connected to four other vertices by 
two incoming and two outgoing edges. In Figure 2b, vertex 1 is replaced by four copies, where each one 
is connected to exactly one incoming and one outgoing edge. Depending on the order in which vertices 
are chosen for mode-splitting, one can make a cycle connected to the rest of the graph by exactly one 
vertex and then perform a reduction step. Clearly, the order of mode-splitting and reduction steps does 
not only affect the termination of the procedure, but also the size of the graph and, therefore, the number 
of cycles that have to be reduced. With a good order of reduction and mode-splitting steps, one ends up 
with a single cycle for which the following holds: the successful computation of candidate LLFs implies 
the existence of a piecewise Lyapunov function for the whole SCC. 

[Figure 2: The Mode-Splitting Step] 

Continuing the example given in Figure 1: in Figure 1c there are no outer cycles, thus a mode-splitting 
step is performed: the vertex a is selected, copied twice, and each path is routed through one 
copy. The result is shown in Figure 1d. Since the result contains outer cycles, we can select an outer 
cycle as in Figure 1e and perform another reduction step, resulting in a single cycle being left. Figure 1f 
shows the result. 
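The two graph operations described above, outer-cycle detection and the mode-splitting step, as an added example in Python (not the paper's implementation). The graph representation (a dict from vertex to successor set, no self-loops) and the sample graphs are assumptions of this example; the reduction step itself, i.e., computing candidate LLFs for a cycle, is not part of it. The `mode_split` function is the general operation of which Figure 2 shows one instance, and the script at the bottom shows the blow-up on complete digraphs: splitting one vertex of $K_n$ yields $(n-1)^2$ copies.

```python
"""Graph side of the decomposition: outer cycles and the mode-splitting step.

Added example (not the paper's implementation). A graph is the underlying
digraph of a hybrid automaton as a dict vertex -> set of successors, without
self-loops (a self-loop's constraint sits on the vertex, see Section 3).
"""
from itertools import product
from typing import Dict, Hashable, List, Set, Tuple

Graph = Dict[Hashable, Set[Hashable]]


def simple_cycles(g: Graph) -> List[Tuple]:
    """All simple cycles, each reported once, started at its smallest vertex."""
    order = {v: i for i, v in enumerate(sorted(g, key=str))}
    cycles = []

    def dfs(start, v, path):
        for w in g.get(v, ()):
            if w == start:
                cycles.append(tuple(path))
            elif order[w] > order[start] and w not in path:
                dfs(start, w, path + [w])

    for s in g:
        dfs(s, s, [s])
    return cycles


def border_vertices(g: Graph, cycle) -> Set:
    """Vertices of the cycle that have an edge to or from the rest of the graph."""
    inside = set(cycle)
    border = {v for v in cycle if g[v] - inside}
    for u, succ in g.items():
        if u not in inside:
            border |= succ & inside
    return border


def outer_cycles(g: Graph) -> List[Tuple[Tuple, Set]]:
    """Cycles attached to the rest by at most one vertex: reducible right away."""
    found = []
    for c in simple_cycles(g):
        b = border_vertices(g, c)
        if len(b) <= 1:
            found.append((c, b))
    return found


def mode_split(g: Graph, v) -> Tuple[Graph, List]:
    """Replace v by one copy per (predecessor, successor) pair; the copy
    (v, p, s) carries exactly the path p -> v -> s and nothing else."""
    preds = {u for u, succ in g.items() if v in succ}
    succs = set(g[v])
    h = {u: succ - {v} for u, succ in g.items() if u != v}
    copies = []
    for p, s in product(sorted(preds, key=str), sorted(succs, key=str)):
        c = (v, p, s)
        copies.append(c)
        h[c] = {s}
        h[p].add(c)
    return h, copies


def complete_digraph(n: int) -> Graph:
    """Constructed sample: the directed K_n of Table 1."""
    return {i: {j for j in range(n) if j != i} for i in range(n)}


if __name__ == "__main__":
    for n in range(2, 6):
        _, copies = mode_split(complete_digraph(n), 0)
        print(f"K{n}: splitting one vertex yields {len(copies)} copies")
    two_triangles = {1: {2}, 2: {3}, 3: {1, 4}, 4: {5}, 5: {3}}
    print("outer cycles:", outer_cycles(two_triangles))
```

On the two triangles sharing vertex 3, both triangles are outer cycles with border vertex 3, so two reduction steps suffice; on $K_3$ no 2-cycle is outer and only the Hamiltonian cycles qualify, which is why dense graphs force mode-splitting first.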


Automatically Computing Lyapunov Functions 

To compute the Lyapunov functions needed for the decomposition as well as for the monolithic approaches, each 
Lyapunov function is instantiated by a template involving free parameters. Using these Lyapunov function 
templates, a constraint system corresponding to Theorem 1 is generated. Such a constraint system is 
then relaxed by a series of relaxations involving 1. the so-called S-Procedure [?], which restricts the 
constraints to certain regions, and 2. the sums-of-squares (SOS) decomposition [17], which allows us 
to rewrite the polynomial constraints as linear matrix inequalities (LMIs). These LMIs in turn can be solved by 
semidefinite programming (SDP) [?]. Instances of solvers are CSDP [1] and SDPA [4]. These solvers 
typically use some kind of interior point method and numerically approximate a solution. While this is 
very fast, such numerical solvers sometimes suffer from numerical inaccuracies. Therefore, constraints 
may be strengthened by adding additional “gaps”. These gaps make the constraints more robust against 
numerical issues but sometimes result in the feasible set becoming empty. 

These gaps further limit the use of the decomposition, as each reduction now “doubly” shrinks the 
feasible set: via gaps and via computing finitely many candidate LLFs. 


4 Relaxation of the Graph Structure 

In this section, we show how the decomposition can be improved by our graph structure-based relaxation. 
Consider the underlying digraph $\mathcal{G} = (\mathcal{V}, \mathcal{E})$ of a hybrid automaton with the set of vertices $\mathcal{V} = \mathcal{M}$ and the 
set of edges $\mathcal{E} = \{(m_1, m_2) \mid \exists (m_1, G, U, m_2) \in T\}$. Note that the underlying graph has at most a single 
edge between any two vertices while the hybrid automaton might have multiple transitions between two 
modes. The density of the graph $\mathcal{G}$ is the fraction of the number of edges in the graph and the maximum 
possible number of edges in a graph of the same size, i.e., $|\mathcal{E}| \,/\, (|\mathcal{V}|(|\mathcal{V}| - 1))$.² 

The idea is to identify a set of modes of a hybrid automaton whose graph structure is dense. This can, 
for example, be done by a clique-finding or dense-subgraph-finding algorithm. A clique is a complete 
subgraph, i.e., having a density of 1.³ Our relaxation then rewires the transitions such that the resulting 

² We are referring to the definition of density for directed graphs. 

³ Finding the maximum clique is NP-hard. However, a maximum clique is not required; any maximal clique (with more than 
two vertices) is sufficient. Even better, as we are interested in dense structures only, we can use quasi-cliques. A quasi-clique is 
a subgraph whose density is not less than a certain threshold. Thus, any greedy algorithm can be used. 
automaton immediately exhibits a structure well-suited for decomposition. By “well-suited” we mean 
that the graph structure contains mainly outer cycles. 

The reason that our relaxation technique plays so well with the decomposition technique is as follows: 
if a hybrid system exhibits a dense graph structure, then the decomposition results in a huge blow-up. 
This blow-up is a result of the splitting step. The splitting step separates vertices shared between cycles, 
i.e., if there is more than one vertex shared between two or more cycles, then multiple copies are created. 
Thus, the higher the density of the graph structure, the higher the blow-up. Further, if many cycles 
share many vertices - as in dense graphs - then whole cycles get copied and each copy requires solving 
an optimization problem and underapproximating the problem’s feasible set. In contrast, our relaxation 
overapproximates the discrete behavior by putting each vertex into its own cycle and connecting these 
cycles via a new “fake” vertex. This reduces the number of optimization problems to be solved and the number 
of feasible sets to be underapproximated. 

In the following, we define the relaxation operator. Then we give an algorithm which applies the 
relaxation integrated with decomposition. Finally, we prove termination and implication of stability of 
the hybrid automaton which has been relaxed. 

Definition 3. The graph structure relaxed hybrid automaton $\mathit{Rlx}(\mathcal{H}, \mathcal{M}_d) = (V^R, \mathcal{M}^R, T^R, \mathit{Flow}^R, \mathit{Inv}^R) = 
\mathcal{H}^R$ of a hybrid automaton $\mathcal{H} = (V, \mathcal{M}, T, \mathit{Flow}, \mathit{Inv})$ wrt. the sub-component $\mathcal{M}_d \subseteq \mathcal{M}$ is defined as 
follows: 

$V^R = V,$ 

$\mathcal{M}^R = \mathcal{M} \cup \{m_c\},$ 

$T^R = \{ (m_1, G, U, m_2) \mid (m_1, G, U, m_2) \in T,\ \{m_1, m_2\} \cap \mathcal{M}_d = \emptyset \}$ 
$\quad\cup\ \{ (m_1, G, \mathit{id}, m_c),\ (m_c, G, U, m_2) \mid (m_1, G, U, m_2) \in T,\ \{m_1, m_2\} \cap \mathcal{M}_d \ne \emptyset \},$ 

$\mathit{Flow}^R(m) = \mathit{zero}$ if $m = m_c$, and $\mathit{Flow}(m)$ otherwise, 

$\mathit{Inv}^R(m) = \emptyset$ if $m = m_c$, and $\mathit{Inv}(m)$ otherwise, 

where $\mathit{zero} : \mathcal{S} \to \mathcal{P}(\mathcal{S})$ is the function assigning $\{0\}$ to each $x \in \mathcal{S}$, i.e., $\dot{x} \in \{0\}$. 

In $T^R$ in Definition 3, we replace each transition $(m_1, G, U, m_2) \in T$ connected to at least one mode in 
$\mathcal{M}_d$ with two transitions: one connecting the old source mode $m_1$ with the new mode $m_c$ and the other 
connecting $m_c$ with the old target mode $m_2$. We call this step a transition-splitting step; the result 
is a pair of transitions called a split transition, and the set of all split transitions is denoted by $ST$. 

Intuitively, the introduced mode $m_c$ is a dummy mode whose invariant always evaluates to false and whose 
flow function does not change the valuations of the continuous variables. Indeed, the mode cannot be 
entered and thus a trajectory taking an ingoing transition must immediately take an outgoing transition. 
Note that the empty invariant is also what makes the mode constraints of Theorem 1 vacuous for $m_c$: with 
the zero flow, the decrease condition (Type 2) could not hold on any non-empty invariant. 
The sole reason to add the mode is to change the structure of the hybrid system’s underlying graph: the 
new structure contains mainly cycles that are connected via $m_c$. 

Next, we show how to integrate decomposition and relaxation. Pseudo-code of the relaxation function 
and of a reconstruction function, which step-by-step reverts the relaxation, can be found in Algorithm 1 
and Algorithm 2, respectively. Algorithm 3 gives pseudo-code of the main algorithm. 

Algorithm 1: The Relaxation Function 
  input : A hybrid automaton H, a dense sub-component M_d of H. 
  output: The relaxed version of H, a set of split transitions ST, the central mode m_c. 
  m_c ← newMode(); 
  H.M ← H.M ∪ {m_c}; 
  H.Flow(m_c) ← zero; 
  H.Inv(m_c) ← ∅; 
  T ← H.T; 
  foreach t = (m1, G, U, m2) ∈ T do 
    if {m1, m2} ∩ M_d ≠ ∅ then 
      // split the transition into two parts 
      t1 ← (m1, G, id, m_c); 
      t2 ← (m_c, G, U, m2); 
      // replace the transition by the two parts 
      H.T ← (H.T \ {t}) ∪ {t1, t2}; 
      // keep account of split transitions 
      ST ← ST ∪ {(t1, t2)} 

The main algorithm works as follows. Step 1) The function relax relaxes the graph structure of the hybrid 
automaton H and generates the set of split transitions ST. Step 2) If the set ST is empty, then call 
applyDecomposition with the original automaton and return the result - this function applies the original 
decomposition technique as described in Section 3. Step 3) Otherwise, apply applyDecomposition 
to the current relaxed form of the automaton. If the result is stable, then return the result. Otherwise, 
the original decompositional technique has failed and returns a failed subgraph, that is, a subgraph 
for which it was unable to find Lyapunov functions. Step 4) Choose a split transition from the set ST 
which also belongs to the failed subgraph. It is then used to reconstruct a transition of the original 
hybrid automaton. Then execution continues with step 2. Step 5) If no such split transition exists, 
then the algorithm fails and returns the failed subgraph, since this failing subgraph will persist in the 
automaton: further reverting the relaxation cannot help because no split transition is contained in the 
failed subgraph. 
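The relaxation operator of Definition 3 together with Algorithms 1 and 2, and the density and greedy quasi-clique selection of this section, as an added Python example (not the paper's implementation). Guards and updates are opaque callables because the relaxation only rewires transitions; the $K_n$ automaton and the graph with two triangles sharing a vertex are constructed for the example; `applyDecomposition`, i.e., the Lyapunov computation driving Algorithm 3, is not included.

```python
"""Graph-structure relaxation and reconstruction (Definition 3, Algorithms 1, 2).

Added example, not the paper's Python implementation. Guards and updates are
opaque callables here: nothing below evaluates them. The automata and the
density threshold are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List, Set, Tuple

Mode = Hashable
Transition = Tuple[Mode, Callable, Callable, Mode]   # (m1, G, U, m2)

ZERO, EMPTY = "zero", "false"   # flow and invariant labels of the central mode


def identity(x):
    return x


@dataclass(frozen=True)
class HybridAutomaton:
    modes: frozenset
    transitions: tuple            # tuple of Transition
    flow: Dict[Mode, object]
    inv: Dict[Mode, object]


def underlying_graph(h: HybridAutomaton) -> Dict[Mode, Set[Mode]]:
    """Digraph (V, E) of Section 4; self-loops are mode constraints, not edges."""
    g = {m: set() for m in h.modes}
    for m1, _, _, m2 in h.transitions:
        if m1 != m2:
            g[m1].add(m2)
    return g


def density(g: Dict[Mode, Set[Mode]]) -> float:
    """|E| / (|V| (|V| - 1)) for a directed graph without self-loops."""
    n = len(g)
    return 0.0 if n < 2 else sum(len(s) for s in g.values()) / (n * (n - 1))


def greedy_quasi_clique(g, threshold: float) -> Set[Mode]:
    """Greedy quasi-clique (footnote 3): grow from the vertex of highest total
    degree, adding the neighbour that keeps the induced density >= threshold."""
    deg = {v: len(g[v]) + sum(v in s for s in g.values()) for v in g}
    chosen = {max(g, key=lambda v: (deg[v], str(v)))}

    def induced(vs):
        return {v: g[v] & vs for v in vs}

    while True:
        cands = {w for v in chosen for w in g[v]} | {u for u, s in g.items() if s & chosen}
        best = None
        for w in sorted(cands - chosen, key=str):
            d = density(induced(chosen | {w}))
            if d >= threshold and (best is None or d > best[0]):
                best = (d, w)
        if best is None:
            return chosen
        chosen.add(best[1])


def relax(h: HybridAutomaton, dense: Set[Mode], mc: Mode = "m_c"):
    """Algorithm 1: every transition touching `dense` is routed through m_c,
    whose flow is zero and whose invariant is false (it can never be entered)."""
    assert mc not in h.modes
    new_t, st = [], []
    for t in h.transitions:
        m1, g, u, m2 = t
        if {m1, m2} & dense:
            t1, t2 = (m1, g, identity, mc), (mc, g, u, m2)
            new_t += [t1, t2]
            st.append((t1, t2))
        else:
            new_t.append(t)
    r = HybridAutomaton(h.modes | {mc}, tuple(new_t),
                        {**h.flow, mc: ZERO}, {**h.inv, mc: EMPTY})
    return r, st, mc


def reconstruct(r: HybridAutomaton, st: List, pair, mc: Mode):
    """Algorithm 2: merge one split pair back into (m1, G, U, m2); drop m_c
    once no split transition is left."""
    t1, t2 = pair
    t = (t1[0], t1[1], t2[2], t2[3])
    trans = tuple(x for x in r.transitions if x is not t1 and x is not t2) + (t,)
    st = [p for p in st if p is not pair]
    modes, flow, inv = r.modes, r.flow, r.inv
    if not st:
        modes = modes - {mc}
        flow = {m: f for m, f in flow.items() if m != mc}
        inv = {m: i for m, i in inv.items() if m != mc}
    return HybridAutomaton(modes, trans, flow, inv), st


def well_suited(r: HybridAutomaton, dense: Set[Mode], mc: Mode) -> bool:
    """After relaxation every edge incident to a dense mode goes via m_c, so
    each dense mode lies only on cycles that touch the rest at m_c."""
    return all(mc in (m1, m2) for m1, _, _, m2 in r.transitions if {m1, m2} & dense)


def complete_automaton(n: int) -> HybridAutomaton:
    """Constructed K_n: guard `true`, identity update between any two distinct modes."""
    modes = [f"m{i}" for i in range(n)]
    trans = tuple((a, (lambda x: True), identity, b) for a in modes for b in modes if a != b)
    return HybridAutomaton(frozenset(modes), trans,
                           {m: "x_dot = -x" for m in modes}, {m: "R" for m in modes})


if __name__ == "__main__":
    h = complete_automaton(4)
    g = underlying_graph(h)
    dense = greedy_quasi_clique(g, threshold=1.0)
    r, st, mc = relax(h, dense)
    print(f"density {density(g):.2f} -> {density(underlying_graph(r)):.2f}, "
          f"{len(st)} split transitions, well-suited: {well_suited(r, dense, mc)}")
    for pair in list(st):                 # full reconstruction restores H
        r, st = reconstruct(r, st, pair, mc)
    print("transitions after reconstruction:", len(r.transitions), "m_c kept:", mc in r.modes)
```

Relaxing the directed $K_4$ turns 12 edges among 4 vertices (density 1) into 8 edges among 5 vertices (density 0.4), all of them incident to $m_c$; reconstructing every pair removes $m_c$ again and yields the original transition relation.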

Next, we prove termination and soundness of the algorithm. Here, soundness indicates that a Lyapunov 
function-based stability certificate for a relaxed automaton implies stability of the original, unmodified 
automaton. In particular, the local Lyapunov functions of the relaxed hybrid automaton are valid local 
Lyapunov functions for the original automaton. 


Termination of the Integrated Algorithm 


Theorem 2. The proposed algorithm presented in Algorithm 3 terminates. 

Proof. The function relax terminates since the copy of the set of transitions of $\mathcal{H}$ is finite and is not 
modified in the course of the algorithm. The while-loop terminates if either a call to applyDecomposition 
is successful, no pair for reconstruction can be identified, or the set $ST$ is empty. In the first two cases, 
the algorithm terminates directly. For the last case, assume that no call to applyDecomposition is 
successful and a split transition is always found. Then, in each iteration of the loop, one edge is removed 
Algorithm 2: The Reconstruction Function 
  input : A relaxed hybrid automaton H, a set of split transitions ST, a pair of split transitions 
          (t1, t2), where t1 = (m1, G, id, m_c), t2 = (m_c, G, U, m2) and m_c is the central mode. 
  output: A relaxed hybrid automaton H with one split transition being reconstructed, the set of 
          split transitions ST. 
  // reconstruct the original transition 
  t ← (m1, G, U, m2); 
  // replace the split transition (t1, t2) by t 
  H.T ← (H.T \ {t1, t2}) ∪ {t}; 
  // update the set of split transitions 
  ST ← ST \ {(t1, t2)}; 
  // remove m_c iff unconnected 
  if ST = ∅ then 
    H.M ← H.M \ {m_c}; 


from ST. The set ST is finite because the relaxation function relax splits only finitely many edges. 
Thus, the set ST becomes eventually empty. Therefore, the loop terminates. □ 


Preservation of Stability 

Theorem 3. For any hybrid automaton $\mathcal{H}$ and sub-component $\mathcal{M}_d$, it holds: If a family of local Lyapunov 
functions $(V_m)$ proving $\mathit{Rlx}(\mathcal{H}, \mathcal{M}_d)$ to be GAS exists, then there exists a family of local Lyapunov 
functions for $\mathcal{H}$ proving $\mathcal{H}$ to be GAS. 

Proof. Given a hybrid automaton $\mathcal{H} = (V, \mathcal{M}, T, \mathit{Flow}, \mathit{Inv})$, let $\mathit{Rlx}(\mathcal{H}, \mathcal{M}_d) = (V^R, \mathcal{M}^R, T^R, \mathit{Flow}^R, \mathit{Inv}^R) 
= \mathcal{H}^R$ be the graph structure-relaxed version of $\mathcal{H}$ where $\mathcal{M}_d \subseteq \mathcal{M}$ is the sub-component of $\mathcal{H}$ that has 
been relaxed. Further, let $(V_m)$ be the family of local Lyapunov functions that proves stability of $\mathcal{H}^R$ and 
let $ST$ be the set of split transitions (some transitions may have been reconstructed). It must be 
shown that the $V_m$ are valid local Lyapunov functions for $\mathcal{H}$. 

The mode constraints of Theorem 1 trivially hold, since Rlx alters neither the flow functions nor the 
invariants, i.e., $\forall m \in \mathcal{M} : \mathit{Flow}^R(m) = \mathit{Flow}(m) \wedge \mathit{Inv}^R(m) = \mathit{Inv}(m)$. The transition constraint also holds 
for all transitions that are not altered by Rlx or that have been reconstructed, i.e., for $T \cap T^R$. Now assume that 
$t \in T \setminus T^R$ is an arbitrary transition for which the transition constraint does not hold. We show that this 
leads to a contradiction. By the definition of Rlx, all transitions in $T \setminus T^R$ have been split and there 
is a corresponding pair in $ST$. Let $(t_1, t_2) \in ST$ be the pair corresponding to $t = (m_1, G, U, m_2)$. Since 
$(V_m)$ is a valid family of local Lyapunov functions for $\mathcal{H}^R$, the transition constraint holds for all transitions 
in $T^R$. In particular, it holds for $t_1 = (m_1, G, \mathit{id}, m_c)$ and $t_2 = (m_c, G, U, m_2)$. Thus, 

$\forall x \in G : V_{m_c}(\mathit{id}(x)) \le V_{m_1}(x) \quad\wedge\quad \forall x \in G : V_{m_2}(U(x)) \le V_{m_c}(x).$ 

It follows that 

$\forall x \in G : V_{m_2}(U(x)) \le V_{m_c}(x) \le V_{m_1}(x).$ 

Therefore, the transition constraint holds for $t$, which contradicts the assumption. □ 
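A machine check of the three constraint types of Theorem 1 for a quadratic LLF family, and of the chain $V_{m_2}(U(x)) \le V_{m_c}(x) \le V_{m_1}(x)$ from the proof above, as an added Python example (not from the paper). It assumes two continuous variables, linear flows $\dot{x} = A_m x$, a linear update $U(x) = Bx$, and guards and invariants equal to the whole state space except for $m_c$, whose invariant is empty; the S-procedure of Section 3 is therefore not needed. The matrices `A`, `B` and `P` are constructed for this example and certify nothing about the systems in the paper.

```python
"""Theorem 1 for quadratic LLFs V_m(x) = x^T P_m x on R^2, and the Theorem 3 chain.

Added example, not from the paper. With linear flows A_m, a linear update B and
guards/invariants equal to R^2, the three constraint types become matrix tests:
  type 1: P_m positive definite (alpha, beta = extreme eigenvalues times ||x||^2),
  type 2: A_m^T P_m + P_m A_m + gamma*I negative semidefinite,
  type 3: P_m1 - B^T P_m2 B positive semidefinite.
For m_c the invariant is empty, so types 1 and 2 are vacuous (Definition 3).
"""
from math import sqrt

I2 = [[1.0, 0.0], [0.0, 1.0]]


def mul(x, y):
    return [[sum(x[i][k] * y[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def tr(x):
    return [[x[0][0], x[1][0]], [x[0][1], x[1][1]]]


def add(x, y, s=1.0):
    """x + s*y"""
    return [[x[i][j] + s * y[i][j] for j in range(2)] for i in range(2)]


def sym_eigs(m):
    """Eigenvalues (low, high) of the symmetric part of a 2x2 matrix."""
    a, b, c = m[0][0], (m[0][1] + m[1][0]) / 2, m[1][1]
    mid, rad = (a + c) / 2, sqrt(((a - c) / 2) ** 2 + b * b)
    return mid - rad, mid + rad


def psd(m, tol=1e-9):
    return sym_eigs(m)[0] >= -tol


def nsd(m, tol=1e-9):
    return sym_eigs(m)[1] <= tol


def mode_constraints_ok(P, A, inv_empty=False, gamma=0.1):
    """Types 1 and 2 for one mode; vacuously true when Inv(m) is empty."""
    if inv_empty:
        return True
    return sym_eigs(P)[0] > 0 and nsd(add(add(mul(tr(A), P), mul(P, A)), I2, gamma))


def transition_constraint_ok(P1, P2, B):
    """Type 3 on guard R^2: x^T P1 x - (Bx)^T P2 (Bx) >= 0 for all x."""
    return psd(add(P1, mul(mul(tr(B), P2), B), -1.0))


def family_is_certificate(P, A, empty_inv, transitions):
    """P, A: mode -> matrix; empty_inv: modes with Inv = false;
    transitions: list of (m1, B, m2)."""
    return all(mode_constraints_ok(P[m], A.get(m), m in empty_inv) for m in P) and \
        all(transition_constraint_ok(P[m1], P[m2], B) for m1, B, m2 in transitions)


# Constructed instance: modes m1, m2 of H, one transition m1 -> m2 with update B,
# and the central mode m_c introduced by Rlx(H, {m1, m2}).
A = {"m1": [[-1.0, 0.0], [0.0, -2.0]], "m2": [[0.0, 1.0], [-2.0, -3.0]]}
B = [[0.5, 0.0], [0.0, 0.5]]
P = {"m1": I2, "m2": [[3.0, 0.5], [0.5, 0.5]],
     "m_c": [[0.85, 0.125], [0.125, 0.225]]}      # candidate LLF family for the relaxed automaton


def relaxed_ok():
    """Certificate for Rlx(H): split pair (m1, id, m_c), (m_c, B, m2)."""
    return family_is_certificate(P, A, {"m_c"}, [("m1", I2, "m_c"), ("m_c", B, "m2")])


def original_ok_with(B_orig):
    """Theorem 3: reuse V_m1, V_m2 for the unsplit transition m1 -> m2."""
    return family_is_certificate({m: P[m] for m in ("m1", "m2")}, A, set(), [("m1", B_orig, "m2")])


def quad(Pm, x):
    return sum(x[i] * Pm[i][j] * x[j] for i in range(2) for j in range(2))


def chain_at(x):
    """(V_m2(U(x)), V_mc(x), V_m1(x)) at a concrete point; must be non-decreasing."""
    ux = [sum(B[i][j] * x[j] for j in range(2)) for i in range(2)]
    return quad(P["m2"], ux), quad(P["m_c"], x), quad(P["m1"], x)


if __name__ == "__main__":
    print("relaxed certificate valid:", relaxed_ok())
    print("original certificate valid:", original_ok_with(B))
    print("chain at (1, 1):", chain_at([1.0, 1.0]))
```

The last assertion in the accompanying test also shows why the empty invariant matters: with the zero flow of $m_c$ the Type 2 condition fails on any non-empty invariant, so it is the invariant, not the flow, that keeps the relaxed certificate sound.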

While Theorem 3 shows that stability of the relaxed automaton yields stability of the original automaton, 
the converse is not true. Figure 3 shows a hybrid system where the relaxation renders the system unstable. 
Algorithm 3: The Integrated Relaxation and Decomposition Algorithm 
  input : A hybrid automaton H, a set of modes M_d corresponding to a dense subgraph. 
  output: stable if H is stable and failed otherwise. 
  // relax the graph structure 
  H, ST, m_c ← relax(H, M_d); 
  while ST ≠ ∅ do 
    // apply decomposition 
    result ← applyDecomposition(H); 
    if result = stable then 
      return stable; 
    // apply reconstruction 
    if ∃(t1, t2) ∈ ST : {t1, t2} ∩ failedSubgraph(result) ≠ ∅ then 
      H, ST ← reconstruct(H, ST, (t1, t2), m_c); 
    else 
      return result; 
  // apply decomposition on the original automaton 
  result ← applyDecomposition(H); 
  return result; 



This example exploits that the relaxation may introduce spurious trajectories. This happens if there are 
transitions with overlapping guard sets connected to the central mode $m_c$. A trajectory of the relaxed 
automaton might then take the first part of a split transition to the central mode $m_c$ and continue with 
the second part of a different split transition. A transition corresponding to this behavior might not exist 
in the unmodified hybrid automaton. While this does not render our approach incorrect, it may 
lead to difficulties since these extra trajectories have to be GAS, too. In the case of the system in Figure 3, 
new trajectories are introduced which allow a trajectory to jump back from mode L to H by taking the 
transitions $t_1, t_2$. This behavior corresponds to leaving L by the right self-loop and entering H by the left 
self-loop, which is impossible in the original automaton. However, due to the update the value of $x$ might increase, as 
$1 + 0.01(x - 1)(x - 10) > 1$ for $x < 1$. 


In general, our relaxation introduces conservatism which is again reduced step-by-step by the 
reconstruction. The degree of conservatism highly depends on the guards of the transitions, since the central 
mode relates all LLFs of modes in $\mathcal{M}_d$. Therefore, the more guards overlap, the more LLFs have to 
be compatible, even if this is not needed in the original automaton. 


One possibility to counteract this issue is to introduce a new continuous variable in the relaxed 
automaton which is set to a unique value per split transition: the update function of the first part of a split 
transition sets the value that is used to guard the second part of the transition. Indeed, this trick discards any 
spurious trajectories for the price of an additional continuous variable. However, since the values of that 
variable are somewhat artificial, a Lyapunov function may not make use of that variable. Thus, this trick 
will not ease satisfying the conditions of the Lyapunov theorem in general. 
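The spurious-path effect and the tagging counter-measure just described, as an added Python example (not from the paper). The two self-loops, their guards and updates, and the sample points are constructed here; the instance only borrows the two update expressions of Figure 3 and deliberately has no transition between H and L, so any path from L to H through $m_c$ is spurious by construction.

```python
"""Spurious paths through the central mode, and the tagging counter-measure.

Added example, not from the paper. A split pair is (t1, t2) =
((m1, G, id, m_c), (m_c, G, U, m2)) as in Definition 3. Guards are predicates,
updates are functions on the (here one-dimensional) continuous state.
"""
MC = "m_c"


def true(x):
    return True


def split(t):
    """Transition-splitting step of Definition 3 for one transition."""
    m1, g, u, m2 = t
    return ((m1, g, lambda x: x, MC), (MC, g, u, m2))


def spurious_paths(st, samples):
    """(m1, m2', witness) for every cross pair: t1 of split i enabled at the
    witness and t2 of split j != i enabled right after t1's update. Such a path
    m1 -> m_c -> m2' has no counterpart in the unrelaxed automaton."""
    indexed = list(enumerate(st))
    found = []
    for i, (t1, _) in indexed:
        for j, (_, t2) in indexed:
            if i == j:
                continue
            for s in samples:
                if t1[1](s) and t2[1](t1[2](s)):
                    found.append((t1[0], t2[3], s))
                    break
    return found


def tag_splits(st):
    """Counter-measure from the text: a fresh variable `tag`, set to the
    split's index by t1 and required by t2, so halves of different splits
    cannot be chained. Valuations become pairs (x, tag)."""
    tagged = []
    for k, (t1, t2) in enumerate(st):
        m1, g, _, mc = t1
        _, _, u, m2 = t2
        t1k = (m1, lambda s, g=g: g(s[0]), lambda s, k=k: (s[0], k), mc)
        t2k = (mc, lambda s, g=g, k=k: g(s[0]) and s[1] == k,
               lambda s, u=u: (u(s[0]), None), m2)
        tagged.append((t1k, t2k))
    return tagged


# Constructed instance: a self-loop on H and one on L, both guarded by `true`,
# with the update expressions of Figure 3; no H <-> L transition exists here.
LOOP_H = ("H", true, lambda x: 0.9 * x, "H")
LOOP_L = ("L", true, lambda x: 1 + 0.01 * (x - 1) * (x - 10), "L")
ST = [split(LOOP_H), split(LOOP_L)]
SAMPLES = [i / 4 for i in range(41)]            # x in [0, 10], step 0.25


def without_tags():
    return spurious_paths(ST, SAMPLES)


def with_tags():
    return spurious_paths(tag_splits(ST), [(x, None) for x in SAMPLES])


if __name__ == "__main__":
    print("spurious m_c paths:", sorted({(a, b) for a, b, _ in without_tags()}))
    print("after tagging:", with_tags())
```

Without tags the relaxed automaton admits both L → $m_c$ → H and H → $m_c$ → L although the original has neither; the tag variable removes both, at the price noted in the text that no Lyapunov function will benefit from it.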
[Figure 3: A Hybrid System; Unstable after Relaxation. (a) The unmodified (stable) version. (b) The relaxed (unstable) version. Recoverable labels: modes H, L and, in the relaxed version, the central mode C; flows ẋ = −0.2x, ẋ = −0.1x, ẋ = 0; invariants 1 ≤ x ≤ 10, 0 ≤ x ≤ 1, false; guards true, x > 1; transition labels true / x := 0.9x and true / x := 1 + 0.01(x − 1)(x − 10).] 


                                      Decomposition                         With Relaxation 
Graph Structure     Nodes (n)  Edges  Reductions  Mode-Splittings  Time     Reductions  Time 
directed K1             1        0         0             0         0.04s         0      0.04s 
directed K2             2        2         1             0         0.04s         2      0.04s 
directed K3             3        6         6             4         0.21s         3      0.05s 
directed K4             4       12        47            25         1.15s         4      0.05s 
directed K5             5       20      1852           352       13h22m          5      0.05s 
Spidercam               9       32       753           287        1h46m          9      0.06s 
Cruise Controller       6       11         7             6        0.060s         6      0.06s 

Table 1: Comparison of the Decomposition with and without Relaxation 


5 Application of the Relaxation 

In this section we present three examples where the graph structure-based relaxation suggested in this 
paper improves the application of the decomposition technique. The first example deals with the auto- 
matic cruise controller (ACC) of [8]. The second example is the fully connected digraph K_n. The K_n does 
not represent a concrete hybrid automaton but a potential graph structure of a hybrid automaton. The last 
example is a spidercam. Here, the graph is not as densely connected as the K_n example, but its density is 
already too high to apply decomposition directly. 

We have implemented the decomposition and relaxation in Python. Table 1 gives the graph properties 
and a comparison of the number of reduction steps required by the decomposition with and without re- 
laxation (in the best case). The given data was obtained without actually computing Lyapunov functions, 
focusing on the graph-related part of the decomposition. In fact, computing Lyapunov functions for the 
spidercam via decomposition without our relaxation fails after 18 steps. 


Example 1: The Automatic Cruise Controller (ACC) 


The automatic cruise controller (ACC) regulates the velocity of a vehicle. Figure 5 shows the controller 
as an automaton. The task of the controller is to approach a user-chosen velocity; indeed, the variable v 
represents the velocity relative to the desired velocity. 

The ACC is globally asymptotically stable. It can be proven stable using the original decomposition 
technique (cf. [1, 7]). Indeed, the graph structure is sparse and thus already well-suited for applying 
the decomposition technique directly. In fact, only one more cycle needs to be reduced compared to 
decomposition after relaxation (cf. Table 1). Even though the relaxation is not needed here, it does no 
harm either, so it may be applied to sparse graph structures, too. 
[Figure 4: The K_3 with nodes 1, 2, 3: (a) original, (b) relaxed. The drawing is not recoverable from the text.] 

Figure 4: The K_3. 


[Figure 5: The Automatic Cruise Controller [8]. The drawing is not recoverable from the text.] 

Figure 5: The Automatic Cruise Controller [8] 


Example 2: The directed 


The directed K_n is a fully connected digraph with n nodes. The K_3 as well as a relaxed version of it is 
shown in Figure 4. In a fully connected digraph, there is a single edge from each node to each other 
node, resulting in a total number of n(n − 1) edges. The number of cycles the decomposition technique 
has to reduce grows very fast with n, which can be seen in Table 1. In comparison, the number of cycles 
in the relaxed version of the graph grows linearly with n, assuming that the edges can be concentrated.¹ 
Otherwise, after the relaxation, each original node has n − 1 incoming and n − 1 outgoing edges, where 
each edge connects the node with the central node m_c. Each combination of one incoming and one outgoing 
edge forms a cycle between m_c and an original mode, giving a total of n(n − 1)(n − 1) cycles in the worst 
case. This cubic growth is still much less than the number of reductions without relaxation. 

Such a graph might not be the result of a system designed by hand but might be the outcome of a 
synthesis or an automatic translation. However, the fast growth of the cycles also indicates the high 
number of reductions and therefore of underapproximations. 
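The growth argument above, carried out as an added example that is not part of the paper's implementation: the script builds the directed K_n, re-routes every edge through a central node (the name `m_c` and the option to concentrate parallel edges follow the text; everything else is constructed here) and counts elementary cycles in the resulting directed multigraph. Note that it counts cycles, not the decomposition's reduction steps: for the relaxed graphs the counts coincide with the "With Relaxation / Reductions" column of Table 1 (0, 2, 3, 4, 5), whereas for the unrelaxed K_n the cycle counts (0, 1, 5, 20, 84) are smaller than the listed reductions, which also include the mode splittings.

```python
from collections import Counter
from typing import Dict, Hashable, List, Tuple

Edge = Tuple[Hashable, Hashable]


def complete_digraph(n: int) -> List[Edge]:
    """Directed K_n on nodes 1..n: one edge from every node to every other node."""
    return [(u, v) for u in range(1, n + 1) for v in range(1, n + 1) if u != v]


def relax(edges: List[Edge], central: Hashable = "m_c",
          concentrate: bool = False) -> List[Edge]:
    """Re-route every edge u -> v through the central node: u -> m_c -> v.

    With concentrate=True, parallel edges (same source and target) are merged
    into a single edge, as in the paper's footnote on concentrating edges.
    """
    relaxed: List[Edge] = []
    for u, v in edges:
        relaxed.append((u, central))
        relaxed.append((central, v))
    if concentrate:
        relaxed = list(dict.fromkeys(relaxed))  # de-duplicate, keep order
    return relaxed


def count_elementary_cycles(edges: List[Edge]) -> int:
    """Count elementary (simple) cycles of a directed multigraph.

    Every cycle is counted once, rooted at its first node in a fixed total
    order; parallel edges give distinct cycles, which is the 'worst case'
    the text refers to when edges are not concentrated.
    """
    adj: Dict[Hashable, Counter] = {}
    nodes = set()
    for u, v in edges:
        nodes.update((u, v))
        adj.setdefault(u, Counter())[v] += 1
    order = {node: i for i, node in enumerate(sorted(nodes, key=str))}

    def paths_back(start, current, visited) -> int:
        # Number of ways to return to `start` from `current` using only
        # unvisited nodes that come after `start` in the order.
        total = 0
        for nxt, mult in adj.get(current, Counter()).items():
            if nxt == start:
                total += mult
            elif order[nxt] > order[start] and nxt not in visited:
                visited.add(nxt)
                total += mult * paths_back(start, nxt, visited)
                visited.discard(nxt)
        return total

    return sum(paths_back(s, s, {s}) for s in nodes)


def growth_table(max_n: int = 5) -> List[Tuple[int, int, int, int, int]]:
    """Rows of (n, edges, cycles in K_n, cycles after relaxation with
    concentrated edges, cycles after relaxation with parallel edges kept)."""
    rows = []
    for n in range(1, max_n + 1):
        edges = complete_digraph(n)
        rows.append((n, len(edges),
                     count_elementary_cycles(edges),
                     count_elementary_cycles(relax(edges, concentrate=True)),
                     count_elementary_cycles(relax(edges, concentrate=False))))
    return rows


if __name__ == "__main__":
    print("n  edges  K_n  relaxed(concentrated)  relaxed(parallel)")
    for row in growth_table():
        print("{:<2} {:<6} {:<4} {:<22} {}".format(*row))
```

The unrelaxed count is the number of directed elementary cycles of a complete digraph, Σ_k C(n, k)(k − 1)!, which already reaches 84 for n = 5, while the relaxed graph with concentrated edges has exactly n cycles (one two-cycle per original mode through m_c) and, with parallel edges kept, n(n − 1)² cycles, since every simple cycle of the relaxed graph passes through m_c exactly once.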


Example 3: The Spidercam 


A spidercam is a movable robot equipped with a camera. It is used at sport events such as football 
matches. The robot is connected to four cables. Each cable is attached to a motor that is placed high 
above the playing field in a corner of the stadium. By winding and unwinding the cables, and thereby 
controlling their lengths, the spidercam is able to reach nearly any position in the three- 
dimensional space above the playing field. Figure 6 shows a very simple model of such a spidercam in 
the plane. The target is to stabilize the camera at a certain position. The continuous variables x and y 
denote the distance relative to the desired position on the axes induced by the cables. 


¹ With “concentrating edges,” we mean that edges with the same source and target node are handled as a single edge by the 
cycle finding algorithm. 
[Figure 6: The Simple Planar Spidercam: (a) unmodified, (b) relaxed. The drawing is not recoverable from the text.] 

Figure 6: The Simple Planar Spidercam 


In the model, we assume a high-level control of the motor engines, i.e., the movement is controlled along 
the axes x and y instead of a low-level control of each individual motor. The model has nine modes: one mode 
that controls the behavior while being close to the desired position, four modes corresponding to nearly 
straight movements along one of the axes, and four modes covering the quadrants between the axes. The 
maximal velocity in the direction of each axis is bounded from above by 0.6. Thus, in the four modes 
corresponding to the quadrants, the movement in each direction is at full speed. In the four modes 
corresponding to the axes, the movement on the particular axis is at full speed while the movement 
orthogonal to the axis is proportional to the distance. In the last mode, the speed in both directions is 
proportional to the distance. 

The spidercam is globally asymptotically stable, which can be proven fully automatically. However, 
it is not possible to obtain a piecewise Lyapunov function via decomposition without relaxation due 
to accumulating underapproximations of the partial solutions and the high number of cycles that have 
to be reduced.² The reason is that each time a cycle is reduced, the feasible set of a subproblem is 
underapproximated by a finite set of solutions, which finally results in the feasible set becoming empty so that 
no LLFs can be found. 

In contrast, relaxing the graph structure followed by applying the decomposition is successful immedi- 
ately. In particular, no reconstruction step is required. 

² We used the implementation in STABHYLI, which currently does not contain strategies to handle the situation where no 
reduction is possible. The current implementation would then simply fail. Even though it is theoretically possible to perform 
some form of backtracking, it is hard to decide which underapproximation must be refined. 


6 Summary 

We have presented a relaxation technique based on the graph structure of a hybrid automaton. The re- 
laxation exploits super-dense switching or cascaded transitions to modify the transitions of the hybrid 
automaton in a way that improves the decompositional proof technique of [10]. The idea is to re-route 
every transition through a new “fake” node. Thus, if in the original automaton a single transition is 
taken, then the relaxed automaton has to take a cascade of two transitions to achieve the same result. 
However, the relaxed automaton’s graph structure is better suited towards decomposition. Furthermore, 
the procedure can be automated, which is very much desired as our focus is the automation of Lyapunov 
function-based stability proofs. In Section 5 we successfully employed the proposed tech- 
nique in some examples. 

The decompositional proof technique is particularly well-suited to prove stability of large-scale hybrid 
systems because it allows: 1. to decompose a monolithic proof into several smaller subproofs, 2. to reuse 
subproofs after modifying the hybrid system, and 3. to identify critical parts of the hybrid automaton. 
None of these benefits is available when the hybrid system exhibits a very dense graph structure, 
because that would lead to an enormous number of computational steps in the 
decomposition. In the best case, the proposed relaxation removes these obstacles. If the relaxation is 
too loose, then our technique falls back to reconstructing the original automaton step by step. Each step 
increases the effort needed for the decomposition until a proof succeeds or, ultimately, in the worst 
case, the original automaton gets decomposed. Future research will include a tighter coupling of the 
decomposition and our relaxation approach. A first step will be to not discard the progress made by the 
decomposition but to reuse the “gained knowledge”. Doing so will greatly reduce the computational effort. 